PT-2014-9095 · Mit+5 · Krb5+6

Tkuthan

Published

1970-01-01

Updated

2024-06-15

CVE-2014-4345

CVSS v2.0

8.5

High

Vector

AV:N/AC:M/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions MIT Kerberos 5 versions 1.6.x through 1.11.x before 1.11.6 MIT Kerberos 5 versions 1.12.x before 1.12.2 krb5 (affected versions not specified)

Description The issue is related to an off-by-one error in the krb5 encode krbsecretkey function in the LDAP KDB module in kadmind, which allows remote authenticated users to cause a denial of service or possibly execute arbitrary code via a series of "cpw -keepold" commands. The vulnerability can be exploited remotely by an attacker who has passed the authentication procedure, leading to a violation of confidentiality, integrity, and availability of protected information.

Recommendations For MIT Kerberos 5 versions 1.6.x through 1.11.x before 1.11.6, update to version 1.11.6 or later. For MIT Kerberos 5 versions 1.12.x before 1.12.2, update to version 1.12.2 or later. For krb5, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

DoS

Out of bounds Read

Double Free

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-189CWE-125CWE-415

Related Identifiers

ALT-PU-2014-2418

BDU:2015-01984

BDU:2015-04296

BDU:2015-04297

BDU:2015-04298

BDU:2015-04299

BDU:2015-04300

BDU:2015-04301

BDU:2015-07299

BDU:2015-09203

BDU:2015-09790

CESA-2014_1389

CESA-2015_0439

CVE-2014-4345

DLA-37-1

DSA-3000-1

MGASA-2014-0345

OPENSUSE-SU-2024:10004-1

RHSA-2014:1255

RHSA-2014:1389

RHSA-2014_1255

RHSA-2014_1389

RHSA-2015:0439

RHSA-2015_0439

SUSE-SU-2014_1028-1

USN-2310-1

Affected Products

Alt Linux

Centos

Mit Kerberos 5

Red Hat

Suse

Ubuntu

Krb5

PT-2014-9095 · Mit+5 · Krb5+6

CVE-2014-4345

Weakness Enumeration

Related Identifiers

Affected Products

References · 128